Stored XSS via SMTP Error Message
Team Summary
Official summary from XVIDEOS
## Summary

A Stored Cross-Site Scripting (XSS) vulnerability was identified on the `/account/email` page of www.xvideos.com. The vulnerability arises from improper handling of SMTP error messages: when a verification email bounces, the error text returned by the recipient's mail server is stored and later passed into the `html()` method without sanitization, so an attacker who controls the mail server for the registered address can store and execute arbitrary JavaScript on the affected page. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

## Steps to Reproduce

1. Configure a Postfix 3.7.11 SMTP server as follows:
   - Add to `/etc/postfix/main.cf`:
     ```
     smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, reject_unverified_recipient, permit
     ```
   - Create `/etc/postfix/recipient_access` with:
     ```
     [email protected] REJECT 5.1.1 <img src="" onerror="alert('hackerone!')" />
     ```
   - Build the Postfix lookup table: `postmap /etc/postfix/recipient_access`
   - Restart Postfix: `systemctl restart postfix`
2. Navigate to www.xvideos.com using an up-to-date browser.
3. Click the "Join for FREE" button.
4. Create an account using the configured email address (e.g., [email protected]).
5. Once the account is created, go to the `/account/email` route.
6. Click "Please click **Here** to validate it."
7. Wait approximately 45 minutes for the verification email to bounce. If the reproduction is successful, an alert box reading "hackerone!" appears on the page.

## Impact

The vulnerability allows an attacker running an SMTP server to inject their own JavaScript payloads targeting users of the affected sites. Users who misspell their email domain could also be affected if an attacker controls the mistyped domain. If staff members can view a user's bounce history in the same way as on the `/account/email` page, they may be subjected to an account takeover. These scenarios can result in the leak of sensitive information.

The severity of this vulnerability is rated as low by the organization.
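The rendering mistake the report describes, shown as an added example that is not code from the report or from the site: a bounce line is interpolated into page markup the way jQuery's `.html()` would parse it, beside the escaped form that `.text()` (or an explicit escaper) produces. The SMTP reply string, the helper names and the `<p class="bounce">` wrapper are assumptions for illustration; the example runs under Node with no dependencies.

```javascript
// Added example (not from the HackerOne report): a bounce message reaching the
// DOM via .html() becomes stored XSS; escaping it before rendering does not.

// Constructed sample reply from a mail server configured like the report's
// Postfix instance. Everything after the enhanced status code is free text
// chosen by whoever runs the server, i.e. attacker-controlled.
const sampleBounce =
  '550 5.1.1 <img src="" onerror="alert(\'hackerone!\')" />';

// Minimal HTML escaper: these five characters are sufficient to keep untrusted
// text from being parsed as markup in element content or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored reply is handed to $('#bounce').html(msg).
// Modelled as string concatenation, which is exactly what .html() feeds to the
// HTML parser, so the <img onerror> in the sample becomes a live element.
function renderBounceUnsafe(msg) {
  return '<p class="bounce">' + msg + '</p>';
}

// Hardened pattern: escape before interpolation (equivalent to using .text()).
function renderBounceSafe(msg) {
  return '<p class="bounce">' + escapeHtml(msg) + '</p>';
}

// Defence in depth: keep only the parts of the reply the UI needs, the
// three-digit reply code and the optional enhanced status code (RFC 3463
// class.subject.detail), and drop the free text entirely. Returns null when
// the line does not look like an SMTP reply.
function parseSmtpReply(line) {
  const m = /^(\d{3})[ -](\d\.\d{1,3}\.\d{1,3})?/.exec(String(line));
  if (!m) return null;
  return { code: m[1], enhanced: m[2] || null };
}

// Crude check used to contrast the two renderers: does the output contain a
// raw tag carrying an on* event-handler attribute?
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Stand-alone run: show both renderings side by side.
console.log('unsafe:', renderBounceUnsafe(sampleBounce));
console.log('safe:  ', renderBounceSafe(sampleBounce));
console.log('parsed:', parseSmtpReply(sampleBounce));
```

Displaying only the parsed reply code and enhanced status (`550` / `5.1.1`) removes the attacker's text from the page entirely; escaping is the minimum fix when the message itself must be shown.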
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$250.00
Submitted
Weakness
Cross-site Scripting (XSS) - Stored